1. This Directive lays down rules on:

2. PNR data collected in accordance with this Directive may only be processed for the purpose of preventing, detecting, investigating, and prosecuting terrorist offenses and serious crime in accordance with Article 6(2)(a), (b), and (c).

1. If a Member State decides to apply this Directive to flights within the EU, it shall notify the Commission thereof in writing. A Member State may make or withdraw such a notification at any time. The Commission shall publish this notification and any withdrawal thereof in the Official Journal of the European Union.

2. Where a notification referred to in paragraph 1 has been made, all provisions of this Directive shall apply to flights within the EU as if they were flights to or from third countries, and to PNR data on flights within the EU as if they were PNR data on flights to or from third countries.

3. A Member State may decide to apply the provisions of this Directive only to selected intra-EU flights. In doing so, the Member State shall indicate which flights it considers necessary in order to achieve the objectives of this Directive. The Member State may decide to change the selected intra-EU flights at any time.

1. Each Member State shall establish or designate an authority competent to prevent, detect, investigate, or prosecute terrorist offenses and serious crime, or designate a department of such an authority, to act as its Passenger Information Unit (PIU).

2. The PIE has the following tasks:

3. The staff of a PIE may be seconded from competent authorities. Member States shall provide the PIEs with adequate resources to perform their tasks.

4. Two or more Member States (the participating Member States) may jointly establish a new body or designate an existing body as their PIE. This PIE shall be considered the national PIE of all participating Member States and shall be established in one of them. The participating Member States shall jointly agree on the operating procedures of the PIE, taking into account the provisions of this Directive.

5. Each Member State shall notify the Commission of the establishment of its PIE within one month of its establishment and may amend that notification at any time. The Commission shall publish the notification and any amendments thereto in the Official Journal of the European Union.

1. The PIE shall appoint a data protection officer responsible for supervising the processing of PNR data and implementing the relevant safeguards.

2. Member States shall provide data protection officers with the resources necessary to perform the tasks referred to in this Article effectively and independently.

3. Member States shall ensure that a data subject has the right to contact the data protection officer, who shall act as the single point of contact, for all matters relating to the processing of that data subject's PNR data.

1. The PNR data transmitted by the air carrier shall be collected by the PIE of the Member State concerned in accordance with Article 8. If the PNR data transmitted by the air carrier contain PNR data other than those listed in Annex I, they shall be permanently deleted by the PIE immediately upon receipt.

2. The PIE processes PNR data exclusively for the following purposes:

3. When carrying out the assessment referred to in paragraph 2(a), the PIE may:

4. The assessment of passengers prior to their planned arrival in or planned departure from the Member State on the basis of paragraph 3(b), in accordance with pre-established criteria, shall be carried out in a non-discriminatory manner. These pre-established criteria shall be targeted, proportionate, and specific. Member States shall ensure that these criteria are established and regularly reviewed by the PIE, in cooperation with the competent authorities referred to in Article 7. These criteria shall under no circumstances be based on the race, ethnic origin, religious, philosophical or political beliefs, trade union membership, health, sex life or sexual orientation of the person concerned.

5. Member States shall ensure that any positive match resulting from the automated processing of PNR data carried out pursuant to paragraph 2(a) is reviewed on a case-by-case basis in a non-automated manner to determine whether the competent authority referred to in Article 7 should take action in accordance with national law.

6. The PNR data of persons identified in accordance with paragraph 2(a) or the result of the processing of such data shall be transmitted by the PNR unit of a Member State to the competent authorities referred to in Article 7 of that Member State for further investigation. Such transfer may only be decided on a case-by-case basis and, in the case of automated processing of PNR data, after a separate non-automated check.

7. Member States shall ensure that the data protection officer has access to all data processed by the PIE. If the data protection officer considers that data processing was not lawful, he or she may refer the matter to the national supervisory authority.

8. The storage, processing, and analysis of PNR data by the PIE shall take place exclusively at a secure location or secure locations within the territory of the Member States.

9. The result of the assessment referred to in paragraph 2(a) of this Article shall not affect the right of persons enjoying the Union right of free movement to enter the territory of the Member State concerned, as laid down in Directive 2004/38/EC of the European Parliament and of the Council(11). Furthermore, where that assessment is carried out in relation to intra-EU flights between Member States to which Regulation (EC) No 562/2006 of the European Parliament and of the Council(12) applies, its consequences shall be in accordance with that Regulation.

1.   Each Member State shall draw up a list of the authorities that are competent to request PNR data or the result of the processing of such data from the PNR system or to receive PNR data or the result of the processing of such data in order to investigate this information further or to take the necessary measures to prevent, detect, investigate, and prosecute terrorist offenses or serious crime.

2. The authorities referred to in paragraph 1 are authorities competent for the prevention, detection, investigation, or prosecution of terrorist offenses or serious crime.

3. For the purposes of Article 9(3), each Member State shall notify the Commission of the list of its competent authorities by May 25, 2017, at the latest, and may amend that notification at any time. The Commission shall publish the notification and any amendments thereto in the Official Journal of the European Union.

4. The PNR data and the processing result of those data received from the PIE may be further processed by the competent authorities of the Member States only for the specific purposes of preventing, detecting, investigating, or prosecuting terrorist offenses or serious crime.

5. Paragraph 4 shall not affect national judicial and law enforcement powers where other criminal offenses or indications thereof are revealed in the course of enforcement measures taken in response to the processing.

6. The competent authorities shall not take any decisions based solely on the automated processing of PNR data that have adverse legal or other significant effects on the data subject. Such decisions shall not be based on the racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health, sex life, or sexual orientation of the data subject.

1. Member States shall take the necessary measures to ensure that air carriers, using the "push" method, transfer the PNR data listed in Annex I, insofar as they have already collected such data in the course of their normal business operations, to the PNR database of the Member State where the flight will arrive and/or depart. In the case of an international flight that is a code-share flight operated by two or more air carriers, the obligation to transfer the PNR data of all passengers shall be incumbent on the air carrier operating the flight. If a flight to or from third countries includes one or more stopovers at airports in Member States, airlines shall transfer the PNR data of all passengers to the PIUs of the Member States concerned. This also applies in the case of a flight within the EU with one or more stopovers at airports in different Member States, but only in relation to Member States that collect PNR data on flights within the EU.

2. Where air carriers have collected API (advance passenger information) data within the meaning of point 18 of Annex I but do not store such data using the same technical means as for other PNR data, Member States shall take the necessary measures to ensure that air carriers also transmit such data, using the push method, to the PIE of the Member States referred to in paragraph 1. In the event of such a transfer, all the provisions of this Directive shall apply to that API data.

3. PNR data shall be provided by air carriers by electronic means, using the common protocols and supported data formats established in accordance with the examination procedure referred to in Article 17(2), or, in the event of a technical failure, by other appropriate means ensuring an adequate level of data security:

4. Member States shall allow air carriers to limit the transfer referred to in paragraph 3(b) to changes to the transfers referred to in paragraph 3(a).

5. Where access to PNR data is necessary to respond to a specific and concrete threat related to terrorist offenses or serious crime, PNR data shall be provided by air carriers, on a case-by-case basis and at the request of a PIU in accordance with national law, at times other than those specified in paragraph 3.

1. Member States shall ensure that, with regard to persons identified by a PIE in accordance with Article 6(2), that unit transfers all relevant and necessary PNR data or the result of the processing of that data to the corresponding PIEs of the other Member States. The PIUs of the receiving Member States shall, in accordance with Article 6(6), forward the information received to their competent authorities.

2. The PIE of a Member State shall have the right, where appropriate, to request the PIE of another Member State to provide it with the PNR data stored in its database which have not yet been depersonalized in accordance with Article 12(2) by means of masking data elements, as well as, where necessary, the result of processing that data, if the processing has already been carried out in accordance with Article 6(2)(a). That request must be duly justified. It may be based on any data element or combination thereof, as the requesting PIE deems necessary in a particular case for the prevention, detection, investigation, or prosecution of terrorist offenses or serious crime. The PIUs shall provide the requested information as soon as possible. If the requested data has been depersonalized in accordance with Article 12(2) by masking data elements, the PIU shall only provide the full PNR data if it is reasonably believed to be necessary for the purpose referred to in Article 6( (2)(b), and provided that it has obtained the consent of an authority referred to in Article 12(3)(b).

3. The competent authorities of a Member State may, only in emergency situations and under the conditions set out in paragraph 2, directly request the PNR data stored in the database of another Member State from the PNR Central Unit of that Member State. Requests from the competent authorities shall be justified. A copy of the request shall always be sent to the PIU of the requesting Member State. In all other cases, the competent authorities shall submit their request via the PIU of their own Member State.

4.   In exceptional cases, where access to PNR data is necessary to respond to a specific and concrete threat related to terrorist offenses or serious crime, the PIE of a Member State has the right to request the PIE of another Member State to retrieve PNR data in accordance with Article 8(5) and to provide it to the requesting PIE.

5. The exchange of information under this Article may take place through existing channels of cooperation between the competent authorities of Member States. Requests for and exchange of information shall be made in the language customary for the channel chosen. When Member States make the notification referred to in Article 4(5), they shall also provide the Commission with details of the contact points to which requests may be sent in emergencies. The Commission shall communicate these details to the Member States.

1. Within the limits of its powers and for the purpose of performing its tasks, Europol shall have the right to request Member States' PIUs to provide PNR data and the results of processing such data.

2. Europol may, on a case-by-case basis, submit a reasoned request to the PIE of a Member State, via the Europol National Unit, for the transfer of specific PNR data or the result of the processing of such data. Europol may submit such a request when strictly necessary to support or strengthen the actions of Member States aimed at preventing, detecting, or investigating a specific terrorist offense or serious crime, provided that such offense or crime falls within the competence of Europol pursuant to Decision 2009/371/JHA. That request shall set out the reasons why Europol considers that the transfer of PNR data or the result of the processing of PNR data will significantly contribute to the prevention, detection, or investigation of the crime in question.

3. Europol shall inform the Data Protection Officer appointed in accordance with Article 28 of Decision 2009/371/JHA of any exchange of information under this Article.

4. Information exchange under this Article shall be carried out through SIENA and in accordance with Decision 2009/371/JHA. The language used for requesting and exchanging information shall be the language normally used in the context of SIENA.

1. The transfer by a Member State to a third country of PNR data and the result of processing such data stored by the EDPB in accordance with Article 12 shall be permitted only on a case-by-case basis and provided that:

2. Notwithstanding Article 13(2) of Framework Decision 2008/977/JHA, the transfer of PNR data without the prior consent of the Member State from which the data were obtained shall be permitted in exceptional circumstances and only if:

The authority responsible for granting consent shall be informed without delay, and the transfer shall be duly recorded and subject to ex post verification.

3. Member States shall only transfer PNR data to the competent authorities of third countries under conditions that comply with this Directive and after having verified that the intended use of the PNR data by the recipient complies with those conditions and safeguards.

4. The data protection officer of the PIE of the Member State that transferred the PNR data shall be informed whenever the Member State transfers PNR data pursuant to this Article.

1. Member States shall ensure that the PNR data provided by air carriers to the PIE are stored in a database at that PIE for a period of five years after the data have been transferred to the PIE of the Member State of arrival or departure.

2. When a period of six months has elapsed after the PNR data have been transferred in accordance with paragraph 1, the PNR data shall be depersonalized by masking the following data elements from which the identity of the passenger to whom the PNR data relate could be directly inferred:

3. Once the six-month period referred to in paragraph 2 has expired, disclosure of full PNR data shall be permitted only if:

4. Member States shall ensure that PNR data are permanently deleted after the expiry of the period referred to in paragraph 1. This obligation shall not apply if certain PNR data have been transferred to a competent authority and are being used in the context of a specific case for the purpose of preventing, detecting, investigating, or prosecuting terrorist offenses or serious crime; in such cases, the retention of the data by the competent authority shall be governed by national law.

5. The PIE shall not store the result of the processing referred to in Article 6(2)(a) for longer than is necessary to report a match to the competent authorities and, in accordance with Article 9(1), to the PIEs of other Member States. If the result of automated processing proves to be negative after a separate non-automated check as referred to in Article 6(5), it may nevertheless be stored in order to prevent "false" matches in the future, provided that the underlying data is not erased pursuant to paragraph 4 of this Article.

1. Each Member State shall ensure that every passenger has the same rights with regard to the protection of their personal data, as well as the right of access, rectification, and erasure, the right to restriction, the right to compensation, and the right to seek legal remedies, as laid down in national and Union law and in the provisions implementing Articles 17, 18, 19, and 20 of Framework Decision 2008/977/JHA. These articles shall therefore apply.

2. Each Member State shall ensure that the provisions adopted in national law to implement Articles 21 and 22 of Framework Decision 2008/977/JHA on the confidentiality of processing and the security of data also apply to any processing of personal data under this Directive.

3. This Directive is without prejudice to the applicability of Directive 95/46/EC of the European Parliament and of the Council(13) to the processing of personal data by air carriers, and in particular their obligations to implement appropriate technical and organizational measures to protect the security and confidentiality of personal data.

4. Member States shall prohibit the processing of PNR data revealing the race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or sexual orientation of the data subject. If the PIE receives PNR data revealing such information, it shall be deleted immediately.

5. Member States shall ensure that the PIE keeps documentation on all processing systems and procedures under its responsibility. This documentation shall include at least:

The PIE shall make all documentation available to the national supervisory authority upon request.

6. Member States shall ensure that the PIE keeps records of at least the following processing activities: collection, consultation, communication, and erasure. The logs on consultation and disclosure shall contain, in particular, information on the purpose, date and time of consultation or disclosure and, as far as possible, the identity of the person who consulted or disclosed the PNR data and the identity of the recipients of those data. The records shall be used only for verification, internal control, ensuring the integrity and security of the data, or for supervisory control. The PIE shall make all records available to the national supervisory authority upon request.

These registrations are kept for 5 years.

7. Member States shall ensure that their PIE implements appropriate technical and organizational measures and procedures to ensure a high level of security appropriate to the risks represented by the processing and the nature of the PNR data.

8. Member States shall ensure that personal data breaches that are likely to result in a high risk to the protection of personal data or adversely affect the privacy of the data subject are notified without undue delay by the PIE to the data subject and to the national supervisory authority.

1. Each Member State shall provide that the national supervisory authority referred to in Article 25 of Framework Decision 2008/977/JHA shall also be responsible for advising and monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive. Article 25 of Framework Decision 2008/977/JHA shall apply.

2. These national supervisory authorities shall carry out activities pursuant to paragraph 1 with a view to protecting fundamental rights in relation to the processing of personal data.

3. Each national supervisory authority shall:

4. Each national supervisory authority shall, upon request, advise any person concerned on the exercise of his or her rights under the provisions adopted pursuant to this Directive.

1. Any transfer of PNR data by air carriers to CRSs in the context of the application of this Directive shall be carried out by electronic means, with sufficient safeguards in place with regard to the technical security measures and organizational measures relating to the processing to be carried out. In the event of a technical failure, PNR data may be transferred by other appropriate means, provided that the same level of security is maintained and that Union data protection law is fully complied with.

2. With effect from one year after the date on which the Commission has adopted common protocols and supported data formats for the first time in accordance with paragraph 3, any transfer of PNR data by an air carrier to the PIE in the context of the application of this Directive shall be carried out by electronic means, using secure methods that comply with these common protocols. These protocols shall apply to all transfers in order to ensure the security of PNR data during the transfer. PNR data shall be transferred in a supported data format to ensure that the data is readable by all parties involved. All air carriers shall be required to select the common protocol and data format they intend to use for the transfer and to notify the PIE thereof.

3. The list of common protocols and supported data formats shall be established and, where necessary, updated by the Commission by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 17(2).

4. As long as the common protocols and supported data formats referred to in paragraphs 2 and 3 are not available, paragraph 1 shall apply.

5. Within one year of the date of adoption of the common protocols and supported data formats referred to in paragraph 2, each Member State shall ensure that the technical measures necessary to use the common protocols and supported data formats are in place.

1. The Commission shall be assisted by a committee. This committee shall be a committee within the meaning of Regulation (EU) No. 182/2011.

2. Where reference is made to this paragraph, Article 5 of Regulation (EU) No. 182/2011 shall apply.

If the committee has not delivered an opinion, the Commission shall not adopt the draft implementing act, and the third subparagraph of Article 5(4) of Regulation (EU) No 182/2011 shall apply.

1. Member States shall bring into force the laws, regulations, and administrative provisions necessary to comply with this Directive by May 25, 2018, at the latest. They shall forthwith inform the Commission thereof.

When Member States adopt these provisions, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.

2. Member States shall communicate to the Commission the text of the main provisions of national law which they adopt in the field covered by this Directive.

1. On the basis of the information provided by Member States, including the statistical data referred to in Article 20(2), the Commission shall, by May 25, 2020, evaluate all elements of this Directive and submit a report to the European Parliament and the Council, together with an explanatory memorandum.

2. In this evaluation, the Commission shall pay particular attention to:

3. The report referred to in paragraph 1 shall also include an evaluation of the necessity, proportionality, and effectiveness of including in the scope of this Directive the mandatory collection and transfer of PNR data on all or selected flights within the EU. The Commission shall take into account the experience gained in the Member States, in particular in those Member States that apply this Directive to intra-EU flights in accordance with Article 2. The report shall also address the need to include non-airline market participants, such as travel agencies and tour operators offering travel services, including flight bookings, within the scope of this Directive.

4. The Commission shall, if necessary in the light of the evaluation carried out pursuant to this Article, submit a legislative proposal to the European Parliament and to the Council with a view to amending this Directive.

1. Member States shall provide the Commission with annual statistical information on the PNR data provided to the PIUs. These statistics shall not contain any personal data.

2. The statistics shall include at least:

1. Member States may continue to apply bilateral or multilateral agreements or arrangements on the exchange of information between competent authorities that are in force on May 24, 2016, insofar as those agreements or arrangements are compatible with this Directive.

2. This Directive shall be without prejudice to the applicability of Directive 95/46/EC to the processing of personal data by air carriers.

3. This Directive shall not affect existing obligations and commitments of Member States or the Union under bilateral or multilateral agreements with third countries.